I have a PC set up for pentesting, and I am still building it, finding programs etc. Two issues. 1. I am fairly certain I am getting good downloads from the official sites, except in one notable case: the Windows binary is no longer maintained, and of course now I have something listening that I can see in netstat, a connection to 220.90.198.65 port 1064, supposedly the JSTEL service. I have blocked the connection at the Windows Firewall and redirected it to localhost through the hosts file, but I am not sure if this really is malicious or a side effect of a legit program.

So I could use any advice on determining the nature of this connection.

2. Because I am downloading applications that will be detected by my A/V, how can I distinguish between a hacking tool and malware?

As ziggy_567 mentioned, capturing traffic and viewing the captured packets might give you an idea of what connections are being created and the destination address of each. You could also use TCPView from Sysinternals to gather more information about the connections on your computer: http://technet.microsoft.com/en-us/sysi ... s/bb897437 Using TCPView, you can highlight the connection and view the properties of that process (if possible), which might give you more information on what application created the connection.

Regarding setting up a lab, what I like to do is not install any A/V on the attacking/testing machine. I also make sure that this machine is isolated from the rest of my machines, and I ensure that it never connects to the internet once I'm done setting it up.

Last edited by Data_Raid on Mon Jan 10, 2011 4:42 pm, edited 1 time in total.

Yeah, Sam Spade told me a little about it. I am in Korea, which made me think the traffic was legit; all of those servers do appear to be legitimately tied to MS. I wonder if some MS program is phoning home?

I'll create a small trojan file, but I cannot send it by email to another party, because Yahoo identifies it as a virus. And I use Obsidium and Poison Ivy to create an undetectable trojan file, but I cannot win it.

Open a command prompt and type "netstat -nao" (without the quotes). That'll give you the process IDs. You can then kill the process ID of the offending program. You can also use Process Hacker, a freeware program, which will give you more info, but you have to know what you're doing with handles, etc. You could also install Sandboxie and Buster, start Buster, load the program in Sandboxie, and then watch what the program is doing with Buster.

There are bunches of other ways as well, but those are the easiest for beginners. If you want to dig even deeper, try some of the tools listed in the Malware Cookbook (hint: look through the index on the Amazon page to see all the different tools).

Almost forgot: GMER and IceSword are good Windows tools you could try as well.

Last edited by WCNA on Wed Apr 13, 2011 1:30 pm, edited 1 time in total.
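The two answers above (TCPView, and netstat -nao followed by looking up the PID) both come down to the same question: which image owns the socket talking to that address, and is it something you trust? The script below is an added example, not code from either poster. It parses the output of netstat -nao, joins each row to its process, prints the image path and its Authenticode signature status, and, when the owner is svchost.exe, lists the services hosted in that PID via tasklist /svc. It assumes Windows with netstat.exe and tasklist.exe and PowerShell 2.0 or later; the default IP is the one quoted in the original question and is only used as a filter value. Run it from an elevated prompt, otherwise the paths of protected processes come back as access denied.

```powershell
# Added example (not from the original thread): join 'netstat -nao' rows to the
# owning process, show image path, Authenticode status and hosted services.
# Assumptions: Windows, netstat.exe, tasklist.exe, PowerShell 2.0+. The default
# IP is the one quoted in the question; pass -RemoteIp '' to list everything.
param([string]$RemoteIp = '220.90.198.65')

# 'host:port' or '[v6addr]:port' -> address and port (split on the last colon)
function Split-Endpoint {
    param([string]$Endpoint)
    $i = $Endpoint.LastIndexOf(':')
    if ($i -lt 0) { return @{ Address = $Endpoint; Port = $null } }
    @{ Address = $Endpoint.Substring(0, $i).Trim('[', ']'); Port = $Endpoint.Substring($i + 1) }
}

# One 'netstat -nao' row -> object, or $null for headers and blank lines.
# TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
function ConvertFrom-NetstatLine {
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if (@('TCP', 'UDP') -notcontains $f[0]) { return $null }
    if ($f[0] -eq 'TCP') {
        if ($f.Count -lt 5) { return $null }
        $state = $f[3]; $owner = $f[4]
    } else {
        if ($f.Count -lt 4) { return $null }
        $state = ''; $owner = $f[3]
    }
    $remote = Split-Endpoint $f[2]
    New-Object PSObject -Property @{
        Proto = $f[0]; Local = $f[1]
        RemoteAddress = $remote.Address; RemotePort = $remote.Port
        State = $state; OwningPid = [int]$owner
    }
}

# Describe the process behind a PID: image name/path, signer, hosted services.
function Get-PidDetail {
    param([int]$OwningPid)
    $detail = @{ Image = '?'; Path = ''; Signature = ''; Services = '' }
    $p = Get-Process -Id $OwningPid -ErrorAction SilentlyContinue
    if (-not $p) { return $detail }            # process already exited
    $detail.Image = $p.ProcessName
    # .Path throws for protected/system processes when not elevated
    try { $detail.Path = $p.Path } catch { $detail.Path = '(access denied)' }
    if ($detail.Path -and (Test-Path $detail.Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $detail.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $detail.Signature = "$($sig.Status) $signer"
    }
    if ($p.ProcessName -eq 'svchost') {
        # tasklist /svc shows which services live in this svchost instance
        $row = tasklist /svc /fi "PID eq $OwningPid" /fo csv /nh |
               ConvertFrom-Csv -Header Image, PID, Services | Select-Object -First 1
        if ($row) { $detail.Services = $row.Services }
    }
    $detail
}

# Every netstat row (optionally only those to $Filter) with its owner attached.
function Get-ConnectionOwners {
    param([string]$Filter)
    netstat -nao | ForEach-Object { ConvertFrom-NetstatLine $_ } | Where-Object { $_ } |
      Where-Object { -not $Filter -or $_.RemoteAddress -eq $Filter } |
      ForEach-Object {
        $d = Get-PidDetail $_.OwningPid
        New-Object PSObject -Property @{
            Proto = $_.Proto; Local = $_.Local
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; State = $_.State
            OwningPid = $_.OwningPid; Image = $d.Image; Path = $d.Path
            Signature = $d.Signature; Services = $d.Services
        }
      }
}

Get-ConnectionOwners -Filter $RemoteIp |
    Format-List Proto, Local, Remote, State, OwningPid, Image, Path, Signature, Services
```

What to look at in the output: an image under Program Files or System32 with Signature "Valid" and a Microsoft subject is the "some MS program phoning home" case; an unsigned binary in a temp or user directory, or a Valid signature from a publisher you did not install, is what needs a closer look (upload the file's hash to a scanner, or run it under Sandboxie as suggested). One caveat that applies to the original question: a hosts-file entry only affects name resolution, so it does nothing for a program that connects to 220.90.198.65 directly by IP; the firewall rule is what actually stops the traffic, and the owning process is what tells you whether it should.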

I want to create an undetectable trojan. I'll create a trojan file, but it is detected as a virus. How can I make this trojan undetectable? I've tried to use Poison Ivy, Obsidium setup and more. How can I create this trojan file so that it is an undetectable virus?